Get serious about consumer data protection

With the CCPA coming hot on the heels of the GDPR it makes sense to get your consumer data management in order. Taking steps to protect all private data today will pay dividends tomorrow.


The idea that organizations should be doing more to protect the personal data they hold about individuals has been gaining ground in recent years. The European Union’s General Data Protection Regulation (GDPR) sparked a scramble to operationalize data management and security. If you thought that it was a one-off, then the incoming California Consumer Privacy Act (CCPA) may have been a nasty surprise, but it really shouldn’t have been.

A sea-change in attitudes and government willingness to legislate to protect individual privacy is sending a clear message that organizations need to get their data handling in order. High profile data breaches are expensive and worryingly commonplace. When they do occur, they’re often woefully mishandled, but an increase in punitive fines and public frustration strongly suggests that the smart move is to get your data management strategy in place today.

A new level of transparency

Many companies that may have buried their heads in the sand in the past are now coming clean about breaches under the threat of fines. The potential cost of non-compliance with the GDPR is high and the same is true of the incoming CCPA which goes into effect on January 1, 2020, and slaps fines of up to $7,500 per record for violations that aren’t resolved within 30 days. It may also expose companies to class action lawsuits and the risk of being sued by individuals when guidelines are violated, even when there’s no actual breach.

The GDPR only came into effect in May, but we can already see the scale of data breaches that were likely going unreported before the law changed. The GDPR stipulates that companies must report breaches within 72 hours of becoming aware of them. The Information Commissioner's Office (ICO) in the U.K., one of the bodies to which organizations must report breaches, recently revealed that reports of breaches went from around 400 in March and April to 700 in May and then jumped to 1,750 in June – the first full month after GDPR went into effect.

The CCPA has a broader definition of personal data than the GDPR, so while compliance with GDPR is likely to stand organizations in good stead to prepare for CCPA, there may still be more to do. It may be tempting to do the bare minimum and wait for further legislation, but all you’re doing is deferring work and shifting the burden down the line.

Striving for more transparency and better data privacy protections now is the right decision both financially and ethically.

Reassess your data collection practices

Before poring over the guidelines and drawing up a plan of attack it’s a good idea to take a step back and assess the data your organization collects. Begin by ensuring that you know precisely where all your data is and cast a critical eye over your justifications for collecting it in the first place. The initial promise of big data encouraged many organizations to hoard data in hopes of working out how to monetize it or extract insights later, but this attitude could prove disastrous in the current climate.

Consider streamlining your data collection to what actually produces value and reduce it at the point of collection wherever possible. Reducing the amount of data you collect can also reduce your potential exposure, not to mention the associated costs in terms of network traffic, processing, and storage. With a clear picture of the data you need and when and where it’s collected and stored, you can move on to strategizing about how to manage and protect it effectively.

The right of access and choice

Two important principles that are enshrined in data protection legislation are the right for individuals to access the personal data you hold on them and the power to opt out. They may also want to find out what you’ve done with their data, specifically which third parties it has been shared with or sold to. Requests for information will have to be met within a reasonable timeframe, so there needs to be a system in place that’s efficient and secure.

Where organizations have anonymized and aggregated data some of the new legislation could make life very difficult. What happens when someone wants to withdraw their personal data? Can it be extracted in a timely manner? It may prove sensible to craft a data strategy that takes these considerations into account.

Proper storage and breach procedures

Encrypting data and limiting access is obviously essential, but the challenge of introducing greater transparency without compromising security is one that requires some serious thought. When the worst does happen, as it inevitably will from time to time, organizations must have proper procedures in place that alert the right responsible people and trigger an investigation that can be used to report the breach and serve as the basis for mitigation.

When responsibilities are unclear, or action is discretionary, problems will arise. Clarity in your procedures is vital if you want to meet reporting requirements, identify the source of the breach, and act to resolve it as quickly as possible.

A proactive approach to data protection and efficient management today could drastically reduce the potential expense and risk of disruption that further legislation poses.

Michelle Drolet is founder of Towerwall, a small, woman-owned data security services provider in Framingham, MA, with clients such as Smith & Wesson, Middlesex Savings Bank, WGBH, Covenant Healthcare and many mid-size organizations. She can be reached at michelled@towerwall.com.